I. INTRODUCTION


With the ubiquity of computer information processing, the deadliest security vulnerability is literally in our hands. Can we create a security patch for human nature? Unauthorized access to critical and even life-threatening data is prone to social engineering attacks: the manipulation of authorized users to gain unauthorized access to a valued system and the information that resides on it. Social engineering attacks are not confined to military defense programs; day-to-day activities such as banking and paying taxes can be affected. “[This] report ... reveals a human flaw in the security system that protects taxpayer data. More than one-third of Internal Revenue Service employees and managers ... provided their computer login and changed their password” (Dalrymple, 2006).

A. OVERVIEW OF SOCIAL ENGINEERING

Intruders are always on the lookout for ways to gain access to valuable resources such as computer systems, or corporate or personal information on them that can be used maliciously for the attackers’ personal gain. Sometimes they get their chance when there are genuine gaps in the security that they can breach. Oftentimes, they get through because of human behaviors such as trust (when people are too trusting of others) or ignorance (people who are ignorant about the consequences of being careless with information). Attackers know how much easier it is to trick insiders than to target the complex technological protections that we spend huge sums of money on. Figure 1, taken from (Hermansson, 2005), illustrates how the social engineer exploits the weakest link of a computer system, the human user, rather than directly attacking the computer hardware.

Figure 1. Why Social Engineer (From Hermansson, 2005)


There are several methods that a malicious individual can use to try to breach the information security defenses of a personal computer or a network of systems. The human-centered approach termed social engineering is one of them. There are two main categories under which all social engineering attempts can be classified: computer or technology-based deception, and human-based deception. The technology-based approach is to deceive the user into believing that he is interacting with a bona fide communication entity (another user, company, or website) and get him to provide confidential information. For example, the user gets a pop-up window informing him that the computer application has had a problem and that he will need to re-authenticate in order to proceed. Once the user provides his identification and password in that pop-up window, the harm is done. The attacker who created the pop-up now has the user’s identification (ID) and password and can access the network and the computer system. The human-based approach is done through deception, by taking advantage of the victim’s ignorance and the natural human inclination to be helpful and liked. For all intents and purposes, the technology-based approach is what this thesis will refer to as social engineering, and the human-based approach as close-access techniques.

B. SOCIAL ENGINEERING IMPLICATIONS

Social engineering attacks can result in a network outage, fraud, identity theft, and industrial espionage. There is also the cost of loss of reputation and goodwill, which can erode a person’s or company’s base in the long run. For example, a malicious individual can get access to credit card information that an online vendor obtains from customers. Once the customers find out that their credit information has been compromised, they will not want to do any more business with that vendor because the site is considered insecure. More directly, an attacker could initiate lawsuits against the company that will lower the target’s reputation and turn away clientele. Security experts propose that as our culture becomes more dependent on information, social engineering will remain the greatest threat to any security system.

Many companies conduct safety courses and testing in order to ensure their employees are working safely and responsibly; however, few companies take that same stance with information security. They neglect to remind employees about the ways "information theft" is conducted. Social engineering is an underestimated security risk rarely addressed in employee training programs or corporate security policies (McDermott, 2005).
C. PURPOSE OF STUDY

Over the past few years of operational assessments of information assurance and interoperability, social engineering and close-access techniques have proved particularly effective at allowing Red Team and Opposing Force personnel to gain access to sensitive and secure areas, often in spite of doctrinally sound Force Protection Plans. Previous assessments showed that current tactics, techniques, and procedures, with their associated training, do not adequately address the social engineering and close-access threats. This research assessment will examine social engineering and close-access techniques for elements that may lead to “pattern recognition” or improved probabilities of detection. It will try to provide guidelines for policymakers in fighting the threats.

Policymakers and management alike must understand the importance of developing and implementing well-rounded security policies and procedures. They must understand that any amount of money spent on software patches, security hardware upgrades, and audits will be useless without adequate prevention of social engineering attacks. Having clear-cut policies to counter social engineering attacks relieves the employee of the responsibility to make judgment calls regarding an attacker's requests. Simply put, if the solicited deed is prohibited by written policy, a target employee is bound by company rules to deny the attacker's request.

D. ORGANIZATION OF PAPER

This thesis contains six chapters. Chapter II gives the background information needed to properly understand how social engineering works and describes its various forms. Chapter III discusses other work in the area that attempts to solve the problem. Chapter IV proposes our social engineering taxonomy, its trust and attack models, and how each model can be used for social engineering prevention. Chapter V presents our social-engineering encoding scheme and uses it to analyze the cases presented in Mitnick’s “The Art of Deception.” Chapter VI concludes by summarizing the key issues and conclusions drawn in this thesis and postulates areas for future work.
II. BACKGROUND

In this chapter, the first section gives an outline of social engineering and its categories. The next section provides an in-depth review of close-access techniques used to obtain trust via human face-to-face interaction. The next section considers technology-based techniques. The last section discusses intelligence-gathering methods independent of human or technology focus.

A. INTRODUCTION

Kevin Mitnick, a notorious social engineer, sums it up nicely: “You could spend a fortune purchasing technology and services ... and your network infrastructure could still remain vulnerable to old-fashioned manipulation.” The focus of security is trust in protection and authenticity. Why is the weakest link in the security chain between the keyboard and the chair? The natural human willingness to accept someone at his or her word leaves us vulnerable to the intrusions of a social engineer.

The fundamental goals of social engineering are the same as those of computer hacking: to gain unauthorized access to systems or information in order to commit fraud, network intrusion, industrial espionage, or identity theft, or simply to disrupt the system or network. The key to social engineering is knowing the jargon, the corporate infrastructure, and human nature. A good attacker exudes such confidence that few challenge him or his requests for seemingly innocuous information. Typical targets include big-name corporations and financial institutions, military and government agencies, and infrastructure providers (hardware, software, communication, and voice mail vendors). The Internet boom had its share of industrial engineering attacks on start-up companies, but attacks generally focus on larger entities with high-valued assets (Granger, 2001).

Even though any social engineering involves exploiting someone’s trust, there are two main categories: a human-based approach and a computer or technology-based approach. The human-based approach is done through face-to-face communications, by taking advantage of the victim’s ignorance and the natural human inclination to be helpful and liked. The technology-based approach deceives the user through electronic communication. We will call the human-based approach the close-access technique, and the technology-based approach, social engineering.

Besides these two categories are two common methods of obtaining confidential information that are not centered on technology or face-to-face interaction: open-source research and covert searches or “dumpster diving”. Although collecting open-source information on the Internet uses technology, this method does not require human manipulation.

B. CLOSE-ACCESS TECHNIQUES

Many organizations only plan for attacks directly against physical or technical resources and ignore the threat from attacks via human resources. Close-access techniques use face-to-face manipulation to gain physical access to computer systems and, ultimately, the information contained in them. We are referring to the manner in which the attack is carried out, emphasizing how to create the perfect psychological environment for the attack.

Typically, successful social engineers have great people skills. The main objective is to convince the target, a person knowing some valuable information, that the attacker is a trusted person who has a need to know. Often an attacker exploits people’s ignorance of the value of the information they possess and their carelessness about protecting this seemingly innocuous data. The close-access techniques from (Granger, 2001) include friendliness, impersonation, conformity, decoying, diffusion of responsibility, and reverse social engineering. Reciprocity, consistency, and scarcity are proposed in (Cialdini, 2001). In addition, our research adds sympathy, guilt, equivocation, ignorance, and affiliation to the set of trust ploys used to gain access and information.

1. Friendliness

A fundamental close-access technique to obtain information is just to be friendly. Because people tend to comply readily with individuals they know and like, any social engineer is most effective when emphasizing factors that increase his or her overall attractiveness and likeability. The average user wants to believe colleagues and wants to help, so the attacker really only needs to be cordial and convincing. Beyond that, most employees respond in kind, especially to women. Oftentimes, slight flattery or flirtation might even help soften up the target employee to cooperate further. A smile or a simple “thank you” usually seals the deal.

2. Impersonation

Impersonation means creating a character and playing out the role to deceive others and gain some advantage. The simpler the role, the better. Sometimes this could mean just calling someone up and saying: “Hi, I’m Bob in Information Technology (IT), and I need your password.” Other times, the attacker will study a real individual in an organization and wait until that person is out of town to impersonate him over the phone or even in person. Industrious attackers with a high-valued target may even use an electronic device to disguise their voices and study speech patterns and organizational charts. Common roles impersonated include a repairman, an IT support person, a manager, a trusted third party, and a fellow employee. For example, someone alleging to be the CEO’s secretary calls to say that the CEO okayed her requesting certain information. In a big organization, this is not that hard to do. It is difficult to know everyone, and IDs and entrance badges are easy to fake with the right tools.

We will not use impersonation as a specific attack toolkit item since it seems to be used in most close-access/social engineering attacks, with an attacker pretending to be someone or something, such as a legitimate website, to exploit the target’s trust.

3. Conformity

Conformity is the tendency to see an action as appropriate when others are doing it. This close-access technique, also known as social proof, can be used to convince a target to give out information by informing him that other associates are or have been complying with the same request. When people are uncertain, they are more likely to use others’ actions to decide how they themselves should act, especially if the compared individual or group is similar to the target.
4. Diffusion of Responsibility

When individuals believe that many others are present or have done a similar act, they, as individuals, do not bear the full burden of responsibility. When a social engineer attacks in such a way as to seemingly diffuse the responsibility of the employee giving the password away, it relieves the stress on the employee and makes it easier for him to comply.

5. Decoys

We are human and are limited in what we can focus our attention on at any moment. A social engineer can exploit this limitation by using decoys or distractions to conceal what he is truly seeking. If a target is diverted from his usual security focus, the attacker can obtain the illicit information more easily.

6. Reverse Social Engineering

A more advanced method of gaining information is when the attacker creates a persona such that employees will ask him or her for information rather than the other way around. This technique requires a great deal of preparation and research beforehand. If researched, planned, and executed well, reverse social-engineering attacks offer the attacker a safe way of obtaining valuable data from the target employees, since the victim is initiating the transactions. The decision to comply with a reverse social-engineering sting is steered by the reciprocity rule, which compels the target to repay, in kind, what the attacker has provided as a favor.

The three phases of reverse social-engineering attacks are sabotage, advertising, and assisting (Nelson, 2001). For example, the attacker sabotages a network, causing a problem to arise. The attacker then advertises that he can fix the problem. When the attacker comes to fix the problem, he requests certain bits of information from the target employees to get what he really came for. The victims may never know that the purported problem solver was a social engineer, because their network problem goes away.
8. Commitment and Consistency

In seeking compliance, securing an initial commitment from a victim is key. People have a natural tendency to honor commitments. A savvy social engineer realizes that people are more willing to agree to further requests that are in keeping with prior commitments.

9. Scarcity

People assign more value to opportunities when they are less available. In a social-engineering attack, a target can be pressured to give out information when he thinks help from normal channels is only available for a limited time, say before close of business.

10. Authority

Several impersonation roles fall under the category of someone with authority. Historically, we are socialized with a deep-seated sense of duty to authority, because such obedience constitutes correct conduct. We readily attribute knowledge, wisdom, and power to authoritative figures, so an attacker portraying a set of these characteristics can be more convincing.

11. Sympathy

Sympathy is usually the sharing of unhappiness or suffering. Additionally, it implies concern, or a wish to alleviate negative feelings others are experiencing. An attacker who lets on that he needs help can win over a target’s sympathy, encouraging the target to let down his guard and offer the requested information.

12. Guilt

One definition of guilt is the feeling of obligation for not pleasing, not helping, or not placating another. Additionally, it is the acceptance of responsibility for someone else's misfortune or problem because it is bothersome to see that someone suffers. A sly social engineer can convince the target that they will suffer greatly if the request is not granted.
13. Equivocation

This technique exploits a clear sentence, spoken or typed, that has two meanings. When the perceived meaning of individual words is different from that which is intended, either the whole sentence is given new meaning or it loses meaning. An equivocal statement or question starts out sounding reasonable and gets the target to agree to certain ideas or requests by deliberately attempting to create uncertainty or ambiguity. After that, the meanings of key terms are changed, thus causing the victim to agree to things he would never have accepted at the beginning.

14. Ignorance

Pretending to be uninformed in order to manipulate a victim into giving information is another popular close-access technique. A common example is the impersonation of a new company or departmental employee who does not know the processes of the new environment.

15. Affiliation

Some attackers use name dropping to establish credibility, to proclaim association with collective organizations, or to suggest being in the inner circle of acceptance. This self-promotion reduces the target’s suspicion of the attacker’s motives.

C. ONLINE SOCIAL ENGINEERING

While the art of social engineering may have been mastered before the invention of technology and computers, the Internet is a fertile ground for social engineers looking to gather valuable information. With the proliferation of poorly secured computers on the Internet and publicly known security holes, the majority of security compromises are done by exploiting vulnerable computers. Computer attacks that do not use social engineering are commonly termed hacking. This is a more direct attack using hardware and software methods and programming tricks to break a security feature on the system itself. Generally, hacking requires above-average computer skills and takes much longer than simply obtaining an authorized user’s ID and password.

Social engineering for online information often focuses on obtaining passwords. While the typical social engineering attempt would be to gain trust and just ask for the password, many technical methods can also be used to gain password information without the owner’s permission. An ongoing weakness that makes these attacks successful is that many users reuse one simple password on every Internet account, even at their financial institutions. Several methods can gain password information.

1. Awards

Another way in which attackers can obtain personal information is through online forms that solicit information: attackers can send out enticing offers or “awards” and ask the user to enter his name, e-mail address, and even account passwords.

2. Pop-up Windows

Pop-up windows can be installed by attackers to look like part of the network and request that the user reenter his username and password to fix some sort of problem.

3. Network Sniffing

Sniffing means examining network traffic for passwords. A person doing sniffing generally gains the confidence of someone who has authorized access to the network, to help reveal information that compromises that network’s security. Then, the attacker can monitor a screen until an unsuspecting target types in his account information.

4. Email

Email can be used for more direct means of gaining access to a system. For instance, mail attachments can carry malicious software that can gather personal information without the user knowing. Trojan horses, viruses, and worms can be slipped into the e-mail body or attachments to solicit usernames and passwords.

5. Phishing

Phishing is a form of social engineering that involves using e-mail and websites designed to look like those of well-known legitimate businesses, financial institutions, and government agencies to deceive users into disclosing their account information. These phony websites are simulations that appear to be login screens, but are not. Graphics and format can be copied from legitimate sites to make them highly convincing.

Once trust is established, a phisher tries to obtain sensitive personal, financial, corporate, or network information. Many attackers target financial or retail organizations, but military targets are increasing (especially highly targeted phishing called "spear phishing"). Phishing can try to lure consumers into revealing their personal and financial data such as social-security numbers, bank and credit-card account information, and details of online accounts and passwords. A spoofed e-mail could ask you for billing information or other personal records, supposedly from a high-ranking employee. The attacker could e-mail thousands of online customers as the head of a corporation, asking them to send in their passwords because some files were lost. Phishing can also be very useful to a state-level adversary for spying or sabotage.

6. Harvesting Networks

Another tactic of social engineering is to use social-network websites such as myspace.com and friendster.com to harvest freely available personal data about participants, and then use the data in scams such as fraud and money laundering.

D. INTELLIGENCE GATHERING

1. Open-Source Research

Much historical and background information can be obtained before even talking to any person by simply surfing target web sites and looking up the target on search engines such as Google. For businesses, employee e-mail addresses and phone numbers, organizational charts, executive titles, and financial information are often publicly available. Some even have pictures of executives on their website, along with their phone number and e-mail address.

2. Dumpster Diving

Dumpster diving, also known as trashing, is another popular method of collecting information without interfacing with people or technology. A huge amount of information can be collected through company or individual dumpsters. Potential security leaks in our trash include “phone books, organizational charts, memos, policy manuals, calendars of meetings, events and vacations, system manuals, printouts of sensitive data or login names and passwords, printouts of source code, disks and tapes, company letterhead and memo forms, and outdated hardware” (Granger, 2001). Phone books can give the attackers names and numbers of people to target and impersonate. Organizational charts contain information about people who are in positions of authority within the organization. Memos provide small tidbits of useful information for faking authenticity. Policy manuals show attackers how secure (or insecure) the company really is. Calendars may tell attackers which employees are out of town at a particular time. System manuals, sensitive data, and other sources of technical information may give attackers the exact keys they need to unlock the network. Outdated hardware, particularly hard drives, can often be restored to provide all sorts of useful information.
III. PREVIOUS MODELS OF SOCIAL ENGINEERING

Social engineering, obtaining information by human trust manipulation, has been used for centuries, but there is little formalized theory in this area. The closest associated research work is found in the area of trust. The first section provides a detailed assessment of the essential role that trust plays in a successful social engineering ploy and reviews previous trust models. The second section discusses the current prevention recommendations from computer security and social engineering experts.

A. TRUST

Social engineering uses human error and weakness to gain access to a system despite the layers of defensive security controls that have been implemented via physical safeguards, hardware, and software. Since a crucial objective is to convince the person disclosing the information that the attacker is a trusted person who has a need to know, trust is an important topic to cover to fully understand a social engineer.

Trust is subjective; there may always be hidden factors, intentional or subconscious, behind a decision to trust or not. To deal with the immense data processing of everyday life, we must use shortcuts to sort through all the information and make judgments accordingly. “Quite a lot of laboratory research had shown that people are more likely to deal with information in a controlled fashion when they have both the desire and the ability to analyze it carefully; otherwise, they are likely to use the easier click, whirr approach” (Chen & Chaiken, 1999; Petty & Wegener, 1999). This click, whirr approach is characterized by fixed-action patterns where a set of behaviors occurs in the same fashion and in the identical order, as if these patterns were recorded on tapes. “Click and the appropriate tape is activated; whirr and out rolls the standard sequence of behaviors” (Cialdini, 2001). When we are rushed, stressed, uncertain, indifferent, distracted, or fatigued, we tend to resort to shortcuts rather than extensive analysis. As a result, “much of the compliance process (wherein one person is spurred to comply with another person’s request) can be understood in terms of a human tendency for automatic, shortcut responding” (Sztompka, 1999), making us vulnerable to trust manipulation.
1. Trust Definitions

Previous research on trust does not clearly differentiate among factors that contribute to trust, trust itself, and outcomes of trust (Cook & Wall, 1980; Kee & Knox, 1970). We will focus on the relationship between two parties, not necessarily two individuals, and the reasons why a trustor (trusting party) would trust a trustee (party to be trusted). The act of trust may start out as a unilateral expectation and commitment, but the trusting results in a relationship. To understand the extent to which a person is willing to trust another person, three crucial areas must be examined:

1. the trustor’s propensity to trust;

2. the trustor’s perception of the trustee’s benevolence, reputation, performance, and appearance; and

3. the environmental circumstances.

a. Relationship

According to Sztompka, trust is a bet about the future contingent actions of others. Trust results from the idea of individual freedom; one person does not have direct control over others. In general, people have choices and are not confined to another person’s dictates. The more available options people face, the less predictable are the decisions they take. But relationships between people limit the options to those acceptable to others.

b. Trustor

Trust liberates and mobilizes human agency, and releases creative, uninhibited, innovative, entrepreneurial activisms toward other people (Luhmann, 1979). Traits of the trustor will determine how easily that individual will trust another party. This measure of a person’s willingness to trust is known as propensity to trust. The crucial problem for the trustor is the lack of sufficient information on all relevant aspects of the situation. Since the estimate of the potential gain or loss is not easily predicted, risk comes into play. This risk-taking opens the door for a social engineer to exploit.
c. Trustee

An  attacker  must  appear  trustworthy  to  the  target  victim,  the  trustor.  We 
recognize  four  factors  (Sztompka,  1999  &  Mayer,  1995)  that  affect  an  attacker’s 
perceived  trustworthiness:  benevolence,  reputation,  performance,  and  appearance. 
Trustworthiness  correlates  with  the  motivation,  or  lack  of,  to  lie.  Benevolence  signifies 
this  motivation  of  the  trustee  toward  the  trustor,  i.e.  good  or  bad  intentions.  Reputation 
refers  to  past  deeds  such  as  affiliation.  Performance  refers  to  present  conduct  such  as  the 
trustee’s  current  position  or  job  title.  Appearance  refers  to  external  features,  dress, 
actions, and worldly possessions (or lack thereof). Last but not least, environment is
discussed at length in the next section because it is not an internal characteristic of the
trustee. The higher the trustee’s perceived benevolence, reputation, performance, and
appearance, the more likely the trustor is to comply with a request of the trustee, the
social engineer.

d.  Environment 

In  the  arena  of  social  engineering  and  trust  building,  the  situational 
circumstance  plays  a  vital  role  in  how  the  attacker  convinces  the  trustor  of  his 
trustworthiness.  This  circumstance  includes  the  level  of  information  asked  for,  the 
knowledge  of  its  value,  and  the  state  of  mind  of  the  trustor.  “The  trustor’s  perception 
and  interpretation  of  the  context  of  the  relationship  will  affect  both  the  need  for  trust  and 
the evaluation of trustworthiness” (Mayer, 1995). This adaptability of an attacker’s
tactics is what makes a social engineering attack dynamic, and makes prevention harder.

e.  Risk 

Risk, or having something vested in an outcome, is a requisite to trust
(Deutsch, 1958). “A specific quality of exchange involving trust is the presence of basic
uncertainty or risk.” (Sztompka, 1999) Trust is inversely proportional to the perceived
uncertainty or risk involved. As our trust in an attacker increases, the risk we perceive
them to pose decreases (the actual risk does not), making us more prone to comply with
their wishes. An example of this inverse relationship often occurs in situations involving
female social engineers, because society perceives women to be less harmful, i.e. less
risky, than men.
f. Culture

Our  globalizing  society  fosters  interdependence  so  people  must  depend  on 
others,  sometimes  strangers,  in  various  ways  to  accomplish  their  personal  and 
professional  goals.  Due  to  massive  migrations,  tourism,  and  travel  we  encounter  and  are 
surrounded  by  much  diversity.  Trust  encourages  tolerance,  acceptance  of  strangers  and 
recognizes  differences  as  acceptable.  Additionally,  trust  is  a  good  strategy  to  deal  with 
the  anonymity  and  complexity  of  institutions,  organizations,  technological  systems,  and 
the  increasingly  global  scope  of  their  operations.  The  need  for  trust  grows  as  networks 
become  more  complex  (Luhmann,  1979).  Trust  is  culturally  functional  because  it 
encourages  sociability,  participation,  and  fosters  a  feeling  of  order  and  security. 

g.  Internet 

Social  engineering  capitalizes  on  people's  inability  to  keep  up  with  a 
culture  that  relies  heavily  on  information  technology.  Online  transactions  including 
banking and shopping eliminate direct human contact. Businesses realize that there is no
e-business without trust. This proportional relationship between trust and information
sharing is another reason why we are becoming increasingly prone to social engineering
attacks.

Our  modern  era,  often  termed  The  Information  Age,  has  never  been  called 
The  Knowledge  Age.  Information  does  not  translate  directly  into 
knowledge.  It  must  first  be  processed-accessed,  absorbed,  comprehended, 
integrated,  and  retained  (Sztompka,  1999). 

As a result, the shortcut measures of trust (benevolence, appearance, performance,
reputation, and situation) are increasingly vulnerable to exploitation.

2.  Previous  Trust  Models 

a.  An  Integrative  Model  of  Organizational  Trust 

(Mayer,  1995)  proposes  that  trust  is  the  willingness  of  a  party  to  be 
vulnerable  to  the  actions  of  another  party  based  on  the  expectation  that  the  other  will 
perform  a  particular  action  important  to  the  trustor,  irrespective  of  the  ability  to  monitor 
or  control  that  other  party.  Their  model  incorporates  the  dynamic  nature  of  trust  with  the 
feedback  loop  from  the  “Outcomes”  to  the  perceived  characteristics  of  the  trustee.  The 
outcome of the trusting behavior will influence trust indirectly through the perceptions of
ability,  benevolence,  and  integrity  at  the  next  interaction. 


Figure  2.  Integrative  Model  of  Organizational  Trust  (From  Mayer,  1995) 


In  Figure  2,  the  model  explicitly  considers  both  characteristics  of  the 
trustee  as  well  as  the  trustor.  It  differentiates  trust  from  its  outcome  of  risk-taking  in  the 
relationship.  Additionally,  this  model  distinguishes  between  factors  that  cause  trust  and 
trust  itself.  They  recognize  that  there  is  a  need  to  measure  the  willingness  to  be 
vulnerable  because  trust  is  this  willingness.  As  a  result,  this  model  illuminates  that  the 
level  of  trust  of  one  individual  for  another  and  the  level  of  perceived  risk  in  a  situation 
will  lead  to  risk  taking  in  the  relationship. 

b.  Trust  in  Virtual  Teams:  Towards  an  Integrative  Model  of  Trust 
Formation 

The  model  from  (Hung,  2004)  examines  the  three  possible  routes  to  trust: 
the  peripheral  route,  the  central  route,  and  the  habitual  route.  In  Figure  3,  the  three  routes 
to  trust  represent  the  gradual  shift  of  bases  for  trust  formation  over  time  as  one  gains 
personal  experience  and  knowledge  of  the  involved  parties.  While  prior  models 
describing  different  forms  of  trust  emphasize  trust  observed  at  different  points  in  time, 
this  model  integrates  the  different  forms  of  trust  and  focuses  on  the  dynamic  shifts  of 
trust  over  time  by  using  a  fundamental  theoretical  framework. 
[Figure 3 image omitted; route labels recovered from it: Central Route, Habitual Route]

Figure 3. Trust Formation in Virtual Teams (From Hung, 2004)


c.  A  Distributed  Trust  Model 

In another model, (Abdul-Rahman, 1997) highlights the need for effective
trust management in distributed systems, and proposes a distributed trust model based on
recommendations. A recommendation is communicated trust information that carries
reputation information. Each agent stores reputation records in its own private
database and uses this information to make recommendations to other agents. They
define trust as “a particular level of the subjective probability with which an agent will
perform a particular action, both before [we] can monitor such action (or independently
of his capacity ever to be able to monitor it) and in a context in which it affects [our]
own action” (Gambetta, 1990). Their four goals were:

1. To adopt a decentralized approach to trust management.

2.  To  generalize  the  notion  of  trust. 

3.  To  reduce  ambiguity  by  using  explicit  trust  statements. 
4. To facilitate the exchange of trust-related information via a
recommendation  protocol. 

B.  PREVIOUSLY  PROPOSED  COUNTERMEASURES 

Since  social  engineering  is  an  attacker’s  manipulation  of  the  natural  human 
tendency  to  trust,  prevention  requires  education  and  constant  vigilance.  Even  though  the 
threat  is  common,  it  is  possible  to  keep  morale  high  and  have  a  mostly-trusting 
organization  culture  without  sacrificing  security.  There  are  existing  prevention  methods 
and countermeasures that can be incorporated into day-to-day business. By slightly
changing the rules of daily operations and securing organization-wide buy-in on its
importance, social engineering attacks can be made far less likely to succeed.

1.  Admittance 

Prevention  starts  with  problem  realization  and  is  dependent  on  educating  people 
about  the  value  of  information,  training  them  to  protect  it,  and  increasing  people's 
awareness  of  how  social  engineers  operate.  The  importance  of  training  employees 
extends beyond the Help Desk, across the entire organization. Most users should know
not to send passwords in clear text (if at all), but occasional reminders of this simple
security measure from the System Administrator are essential. System administrators
should  warn  their  users  against  disclosing  any  account  or  personal  information  in  any 
fashion  other  than  a  face-to-face  conversation  with  a  staff  member  who  is  known  to  be 
authorized  and  trusted  (Granger,  2001). 

2.  Recognition 

To  foil  an  attack,  it  helps  to  recognize  a  social  engineering  ploy.  “Look  for  things 
that  don’t  quite  add  up.”  (Granger,  2002)  Several  signs  that  you  are  dealing  with  a  social 
engineer: 

a)  refusal  to  give  contact  information; 

b)  rushing; 

c)  name-dropping; 

d)  intimidation; 
e) small mistakes (misspellings, misnomers, odd questions); and

f)  requesting  forbidden  information. 

3.  Contingency  Planning 

In  the  event  that  an  employee  detects  something  suspicious,  he  or  she  needs  to 
follow  procedures  in  place  for  reporting  the  incident.  It  is  important  for  one  person  to  be 
responsible  for  tracking  these  incidents.  Also,  that  employee  should  notify  others  who 
serve  in  similar  positions  as  they  may  be  threatened  as  well  (Granger,  2002). 

4.  Proactive  Security 

Avoiding  the  social-engineering  threat  requires  organizations  to  become  more 
security-centric, or ensure they have a strong information security policy. The following
suggestions are commonly made:

a)  Conduct  ongoing  in-depth  information-security  training. 

b)  Be  suspicious  of  unsolicited  e-mail  messages,  phone  calls,  or  visits  from 
individuals  asking  about  employees  or  other  internal  information.  If 
dealing  with  an  unknown  person  claiming  to  be  from  a  legitimate 
organization, verify their identity directly with the organization.

c)  Never  be  afraid  to  question  the  credentials  of  someone  claiming  to  work 
for  your  organization. 

d)  Install  and  maintain  firewalls,  anti-virus  software,  anti-spyware  software, 
and  e-mail  filters. 

e)  Pay  attention  to  the  URL  of  a  web  site.  Malicious  web  sites  generally  look 
identical  to  a  legitimate  site,  but  the  URL  may  use  a  variation  in  spelling 
or  a  different  domain. 

f) Don't send sensitive information over the Internet before confirming that the
site is the one you intend and that the connection is encrypted (HTTPS); an
encrypted connection to the wrong site protects nothing.
g) Don't reveal personal or financial information in e-mail, and do not
respond  to  e-mail  solicitations  requesting  this  information.  This  includes 
following  links  sent  in  e-mail. 

h)  Don't  provide  personal  information  or  information  about  your  organization 
to  anyone,  including  the  structure  of  your  networks,  unless  you  are  certain 
of  a  person’s  authority  to  have  that  information. 

i)  Be  careful  about  what  is  provided  on  your  organization's  web  site.  Avoid 
posting  organizational  charts  or  lists  of  key  people  like  officers. 

j)  Shred  any  document  that  is  discarded  that  may  contain  sensitive  data. 

k)  Don't  allow  employees  to  download  from  anywhere  (McDermott,  2005). 
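Item (e) above is a check that can be automated. The following is an added example, not code from the thesis or from (McDermott, 2005): it classifies a URL against a short allow-list of legitimate domains and flags hosts that embed a trusted name under some other registered domain, that differ from a trusted domain only by look-alike characters, or that are within one edit of it. The allow-list, the confusable-character table, the sample URLs, and the "last two labels" rule for the registrable domain are assumptions made for illustration; a real deployment would use the public suffix list.

```python
from urllib.parse import urlsplit

# Assumed allow-list of domains the organization treats as legitimate.
KNOWN_DOMAINS = {"paypal.com", "example.com"}

# Assumed (deliberately short) table of characters attackers swap for look-alikes.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def normalize(label: str) -> str:
    """Fold common visual substitutions so 'paypa1' and 'rnicr0soft' read as 'paypal' and 'microsoft'."""
    label = label.lower().translate(CONFUSABLES)
    return label.replace("rn", "m").replace("vv", "w")


def registrable_domain(host: str) -> str:
    # Assumption: the last two labels form the registered domain. This is wrong for
    # suffixes such as co.uk; use the public suffix list in production.
    return ".".join(host.split(".")[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance by dynamic programming (one row kept at a time)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def classify_url(url: str, known=KNOWN_DOMAINS, max_distance: int = 1):
    """Return (verdict, matched_domain); verdicts: ok, embedded, homoglyph, lookalike, unknown, invalid."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    if not host:
        return ("invalid", None)
    reg = registrable_domain(host)
    if reg in known:
        return ("ok", reg)
    for d in known:
        # e.g. paypal.com.account-verify.example: trusted name used as a label of another domain
        if d in host:
            return ("embedded", d)
    for d in known:
        if normalize(reg) == d:
            return ("homoglyph", d)
    nearest = min(known, key=lambda d: edit_distance(reg, d))
    if edit_distance(reg, nearest) <= max_distance:
        return ("lookalike", nearest)
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed sample URLs, not taken from any real incident.
    for u in ["https://www.paypal.com/login", "https://www.paypa1.com/login",
              "https://paypal.com.account-verify.example/", "https://paypai.com/",
              "https://example.org/"]:
        print(u, "->", classify_url(u))
```

The edit-distance threshold is kept at one because short domains sit close to each other; raising it trades missed look-alikes for false alarms, and the homoglyph fold already catches the digit-for-letter cases the text describes.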

C.  SUMMARY 

Because  of  technological  advances,  information  available  to  people  is  burgeoning, 
choices  are  increasing,  and  knowledge  is  exploding.  These  factors  often  make  careful 
assessment  of  all  information-access  situations  impractical.  The  feeling  of  familiarity 
breeds  trust,  providing  the  feeling  of  security,  certainty,  predictability,  and  comfort. 
Personnel  often  turn  to  a  shortcut  approach  to  make  compliance  decisions,  using  a  single 
(typically  reliable)  piece  of  information.  The  most  reliable  and  therefore,  most  popular 
such  single  triggers  are  the  close  access  techniques  described  in  Chapter  II.  Social 
engineers  that  infuse  their  requests  with  one  or  more  of  these  techniques  are  more  likely 
to  get  the  information  that  they  are  after. 
IV. A MODEL OF SOCIAL ENGINEERING


A.  INTRODUCTION 

Social  engineering  attacks  can  be  very  dynamic  and  often  vary  widely  depending 
on  the  attacker,  target  information,  victim,  and  environmental  circumstances. 

[A]  group  of  strangers  walked  into  a  large  shipping  firm  and  walked  out 
with access to the firm’s entire corporate network. [They obtained] small
amounts  of  access,  bit  by  bit,  from  a  number  of  different  employees.  First, 
they  did  research  about  the  company  for  two  days  before  even  attempting 
to  set  foot  on  the  premises  (Granger,  2001) 

By  asking  the  right  questions,  the  attackers  pieced  together  enough  information  to  aid  in 
their  infiltration  of  an  organization’s  network.  If  an  attacker  were  not  able  to  gather 
enough  information  from  one  source,  they  would  contact  another  source  within  the  same 
organization  and  rely  on  the  information  from  the  first  source  to  add  to  their  appearance 
of  credibility.  This  continues  until  the  attackers  have  enough  in  their  toolkit  to  access  the 
network  and  obtain  the  targeted  data. 

We  propose  two  models,  a  trust  model  and  an  attack  model,  for  what  a  social 
engineer  does  before,  during,  and  after  an  attack.  The  attack  model  is  recursive  because 
typical  attacks  require  more  than  one  looping  of  the  steps  to  achieve  the  end  goal.  The 
attack  model  can  call  on  the  trust  model  to  provide  the  attacker  another  conquered 
information  source,  direct  or  indirect. 

B.  TRUST  MODEL 

As  shown  in  Figure  4,  our  Trust  Model  describes  how  a  social  engineer 
establishes  a  trustworthy  relationship  with  a  person  that  has  needed  information  for  a 
social  engineering  attack.  Initially,  an  attacker  obtains  background  information  (freely 
available  if  possible)  about  the  target.  A  key  early  stage  in  the  trust  process  is  the 
receiver’s  (victim’s)  judgment  of  the  credibility  of  the  information  provided  by  the 
attacker.  From  Chapter  III,  three  prevalent  areas  stand  out  that  explain  trust: 
1. the trustor’s propensity to trust;

2.  the  trustor’s  perception  of  the  trustee’s  benevolence,  reputation, 
performance,  and  appearance;  and 

3.  the  environmental  circumstances. 

Detailed explanations of these three areas are given in Chapter III, Section A.1, Trust
Definitions. Traits of the trustor determine how easily that individual will trust another
party. This is known as propensity to trust. The surrounding environment plays a vital
role in convincing the trustor that the attacker is trustworthy. Environmental factors
include the level of information being requested, the trustor’s knowledge of its value,
and the trustor’s state of mind.

Trustworthiness  correlates  with  the  motivation,  or  lack  of,  to  lie.  We  recognize 
four  factors  (Sztompka,  1999  &  Mayer,  1995)  that  affect  an  attacker’s  perceived 
trustworthiness:  benevolence,  reputation,  performance,  and  appearance.  Benevolence 
signifies  this  motivation  of  the  trustee  toward  the  trustor,  i.e.  good  or  bad  intentions. 
Reputation  refers  to  past  deeds  and  affiliations.  Performance  refers  to  present  conduct 
such  as  the  trustee’s  current  position  or  job  title.  Appearance  refers  to  external  features, 
dress, actions, and worldly possessions (or lack thereof). The source (the trustee, here
the attacker), the trustor (the receiver), and the circumstances surrounding the attack
all interact in the assessment of trust. By presenting some combination of these
character traits and manipulating the others, the trustee convinces the target that he is
a trusted person with a need to know.
C. ATTACK MODEL

Our  Attack  Model  illustrates  how  a  single  typical  information-gathering  attack  is 
carried  out  to  obtain  a  single  item  of  information,  a  kind  of  "subroutine"  for  a  class  of 
social-engineering ploys. Here the connections between nodes represent actions. The
victim’s trust in the attacker is usually developed with the methods of the Trust Model
as a precondition to most of the steps of the Attack Model. The model begins when the social
engineer  undertakes  some  research  on  the  target  individual  or  organization.  The 
information  gained,  even  if  not  helpful,  may  be  used  to  obtain  further  information  that 
might  be  helpful.  Then  the  attacker  uses  one  of  a  number  of  techniques  to  achieve  their 
objective. 

In  Figure  5,  there  are  four  main  categories  of  attack  techniques.  They  are 
deception,  causing  to  believe  what  is  not  true;  influence,  to  sway  or  affect  based  on 
prestige,  wealth,  ability,  or  position;  persuasion,  to  induce  to  undertake  a  course  of  action 
by  means  of  argument,  reasoning,  or  entreaty;  and  manipulation,  to  falsify  for  malicious 
gain.  The  toolkit  of  a  social  engineering  attack  includes  the  tactics  of  friendliness, 
conformity,  decoying,  diffusion  of  responsibility,  reverse  social  engineering,  consistency, 
scarcity,  sympathy,  guilt,  equivocation,  ignorance,  and  affiliation.  Using  some 
combination  of  these  trust  ploys  to  achieve  one  or  more  of  these  attack  techniques,  the 
social  engineer  tries  to  gain  unauthorized  access  to  systems  or  information.  The  intent  is 
usually  to  commit  a  crime  such  as  fraud,  espionage,  identity  theft,  or  vandalism  of  a 
system  or  network.  Depending  on  the  size  and  other  characteristics  of  the  target 
information,  the  Attack  Model  can  recurse  until  the  goal  is  achieved. 
V. TAXONOMY APPLIED TO MITNICK’S EXAMPLES


A.  INTRODUCTION 

We  can  use  the  models  given  in  Chapter  IV,  plus  the  taxonomies  discussed  in 
Chapters  II  and  III,  to  better  characterize  the  anecdotes  of  social-engineering  attacks 
given  in  (Mitnick,  2002).  Assessing  an  attack  with  this  encoding  will  enable  us  to 
pinpoint  areas  of  improvement  or  focus  our  attention  on  the  most  vulnerable  spots  that  a 
social  engineer  relies  on. 

B. OUR TAXONOMY FOR ENCODING SOCIAL ENGINEERING ATTACKS

We  propose  four  main  dimensions  of  interest  in  determining  the  type  and  severity 
of  a  social  engineering  attack.  Our  goal  is  to  find  the  holes  and  propose  countermeasures 
or  prevention  techniques.  The  first  category  is  the  Target  of  interest: 

a)  Finance  (banks,  credit  card  vendors,  credit  agencies) 

b)  Commercial 

c)  Government 

d)  Infrastructure  provider  (hardware,  software,  communications) 

e)  Infrastructure 

The  second  category  is  the  Type  of  Deception  from  the  associated  semantic  case  or  set  of 
cases  in  (Rowe,  2006): 

Space: 

1)  Direction,  of  the  action 

2)  Location-at,  where  something  occurred 

3)  Location-from,  where  something  started 

4)  Location-to,  where  something  finished 

5)  Location-through,  where  some  action  passed  through 

6)  Orientation,  in  some  space 
Time: 

7)  Frequency,  of  occurrence  of  a  repeated  action 

8)  Time-at,  time  at  which  something  occurred 

9)  Time-from,  time  at  which  something  started 
10) Time-to, time at which something ended

11) Time-through, time through which something occurred
Participant:

12)  Agent,  who  initiates  the  action 

13)  Beneficiary,  who  benefits 

14)  Experiencer,  who  senses  the  action 

15) Instrument, what helps accomplish the action

16)  Object,  what  the  action  is  done  to 

17)  Recipient,  who  receives  the  action 
Causality: 

18) Cause

19)  Contradiction,  what  this  action  opposes  if  anything 

20)  Effect 

21)  Purpose 
Quality: 

22)  Accompaniment,  an  additional  object  associated  with  the  action 

23)  Content,  what  is  contained  by  the  action  object 

24)  Manner,  the  way  in  which  the  action  is  done 

25)  Material,  the  atomic  units  out  of  which  the  action  is  composed 

26)  Measure,  the  measurement  associated  with  the  action 

27)  Order,  with  respect  to  other  actions 

28)  Value,  the  data  transmitted  by  the  action  (the  software  sense  of  the  term) 

Essence: 

29)  Supertype,  a  generalization  of  the  action  type 

30)  Whole,  of  which  the  action  is  a  part 
Speech-act  theory: 

31) External precondition on the action (e.g., asserting a precondition that does not
exist)

32) Internal precondition, on the ability of the agent to perform the action (e.g.,
claiming to be a new-hire employee)

The  third  category  is  the  particular  Resource  or  Target  Information : 

A) Identification - password/internal code, username, employee #/ID

B) Affiliation status - entrance badge, other company employees

C)  Internal  information  -  contact  information,  authority  name(s),  account 
information,  process  information,  work  schedule,  organizational  chart,  company 
directory,  hardware/software/application  information,  access  procedure 

D)  Data/product  movement/change/software  install/hardware  install 

E)  Trust 

The  fourth  category  is  the  Trust  Ploy  taken  from  Chapter  II: 

i)  Reverse  social  engineering 

ii)  Commitment/Consistency 

iii)  Authority 

iv)  Friendliness 

v)  Scarcity 

vi)  Conformity 

vii)  Sympathy 

viii)  Guilt 

ix)  Diffusion  of  Responsibility 

x)  Decoy 

xi)  Equivocation 

xii)  Ignorance 

xiii)  Affiliation 

C.  ENCODING  OF  THE  MITNICK  ANECDOTES 

(Mitnick,  2002)  is  a  classic  summary  of  social-engineering  techniques,  but  its 
anecdotal  nature  makes  it  hard  to  infer  principles  of  social  engineering  from  it.  So  we 
encoded  each  of  the  anecdotes  using  our  taxonomy,  described  in  the  previous  section,  in 
order  to  better  see  patterns.  As  an  example,  we  will  encode  the  Swiss  Bank  Anecdote 
using  the  four  main  dimensions  of  interest  in  determining  the  type  of  social  engineering 
attack. 

1) Swiss Bank Account, pg 4: target - a

a) Obtain daily code: 21Ax,xii

b) Request transfer: 12Dvi
Since the goal was to get $10,200,000 wired to a Swiss bank account, the Target
dimension is encoded as (a) for Finance. There are two information-gathering objectives
required for the end goal to be achieved. First, the social engineer needs to obtain the
daily code to authorize the wire transfer. To obtain the code, the attacker impersonated
an IT staff member who needed to look at the operating procedures for the back-up
system of the wire room. This entails deception of Purpose, (21) in our encoding. The
(A)  signifies  that  the  Target  Information  was  Identification.  The  Trust  Ploys  used  in  this 
objective  were  Decoying,  distracting  the  employees  in  the  wire  room  with  his  deceptive 
purpose,  (x),  and  Ignorance,  exploiting  the  employee’s  thinking  that  the  daily  codes  are 
unimportant  in  that  they  were  posted  out  in  the  open,  (xii). 

Second,  the  social  engineer  must  request  the  wire  transfer  of  money.  The  social 
engineer  used  deception  of  Agent,  (12),  because  he  represented  himself  to  the  bank 
representative  as  an  employee  in  the  bank’s  International  Department.  The  Target 
Information  in  this  objective  was  the  movement  of  money,  electronically  which  we 
encoded  as  (D).  The  Trust  Ploy  that  the  social  engineer  exploited  in  this  attack  is 
Conformity  in  that  the  bank  representative  simply  did  what  she  thought  was  regular  daily 
operations,  (vi). 

Below  are  the  encodings  for  the  rest  of  the  Mitnick  examples. 

2)  Creditchex,  pg  16:  Creditchex  concerns  a  private  investigator’s  obtaining  credit 
information  of  a  husband  that  left  his  wife,  taking  all  their  savings. 

Target:  a 

a)  Get  industry  terminology:  21Eiv,xii 

b)  Obtain  current  merchant  ID:  21Cx,xii 

3)  Engineer  Trap,  pg  22:  Engineer  Trap  explains  how  an  employment  agency  seeks  out 
qualified,  already  employed  electrical  engineers  for  a  start-up  company. 

Target:  b 

a)  Get  Accounts  Receivable  contact  #:  21Cii,iv,xii 

b)  Get  cost  center  #:  21Cii,iv,x,xii 

c)  Get  dept  to  call  for  directory:  12Biv,vii,x,xii 

d)  Obtain  directory  mailed:  21Dii,iv,x 
4) Obtain employee #, pg 26: This anecdote describes how to obtain a valid employee
number by claiming a clerical error exists. (d12Aiv,x,xii)

5) Obtain unlisted contact #, pg 31: To obtain a non-published number, simply pose as
an overworked fellow employee needing a little help to accomplish a heavy-duty
assignment in the field. (d12Civ,vii,x,xii)

6) State talk to FBI database, pg 33: This illustrates how a social engineer finds out if
the state department communicates with the FBI for hiring. (c12Cx)

7)  Obtain  Test  Number  Directory,  pg  35:  The  story  tells  how  one  would  go  about 
obtaining  a  prized  directory  listing  telephone  numbers  used  by  phone  technicians. 
(d21Cix,xii) 

8)  Obtain  customer  information,  pg  36:  To  obtain  personal  information  on  a  customer  of 
a  gas  company,  simply  pose  as  a  co-worker  without  computer  access  due  to  a 
malicious  software  attack.  (d21Cii,iv,vii,xii) 

9)  Video  Store,  pg  42:  This  illustrates  how  easy  it  is  for  a  social  engineer  to  obtain  your 
credit  card  information  from  a  video  store  over  the  telephone. 

Target - a

a)  Get  store  manager  info:  21Biv,vi,xii 

b)  Obtain  credit  card  info:  12Cii,iii,iv,vi,vii 

10)  Calling  plan,  pg  48:  This  story  explains  how  an  attacker  obtained  a  free  cell  phone 
from  a  store  representative. 

Target  -  b 

a)  Get  employee  schedule:  21Biv,vi 

b)  Obtain  phone  for  free:  12Ciii,iv,vi,vii 

11) Network Outage, pg 55: This example of reverse social engineering shows the steps
for making a victim ask the attacker for IT help.

Target  -  e 

a)  Get  port  #:  12Ci,iii,iv,vi 

b)  Cause  network  outage:  21Eiii,vi 

c)  Requests  help  from  target:  18Ei,iii,vi 

d)  Download  malware:  18Diii,ix 
12) Who’s new, pg 61: This anecdote describes the simple steps to obtain the names of
new  employees.  (d21Ciii,iv,vi) 

13)  Obtain  password,  pg  62:  This  encoding  illustrates  how  a  social  engineer  poses  as  a 
helpful  IT  staff  member  to  gather  authentication  credentials  from  unsuspecting  users. 
(e21Ai,iii,iv,vi) 

14)  Proprietary  information,  pg  65:  Some  attacks  are  more  involved  than  others.  This 
anecdote  discusses  the  steps  taken  to  get  an  account  with  privileged  access. 

Target  -  e 

a)  Get  associated  people’s  info:  21Biv,vi,xii 

b)  Get  computer  system’s  name:  12Ciii,vi,xii 

c)  Obtain  names  and  e-mails  faxed:  21Ciii,vi,xii 

d)  Get  external  dial  up  #:  12Cvi,vii 

e)  Get  a  password  from  UNIX’s  hashed  file:  n/a 

f)  Obtain  authorized  username  and  password:  21Ai,iii,v,vi,vii,viii,x 

The next two social engineering attacks, 15 and 16, describe how to gain access to an
organization’s internal network.

15)  WAN  access,  pg  77:  target  -  d 

a)  Get  employee  name  from  receptionist:  22Axii 

b) Get employee number: 18Ax

c)  Obtain  dial  up  access:  12C  “asked  for  it” 

16)  Encryption  software,  pg  85:  target  -  d 

a)  Get  Secure  ID  token  access:  12Aix,xiii 

b)  Get  servers’  names:  12Cvi 

c)  Obtain  Telnet  access:  12Cxiii 

17)  Update  account  for  $5,  pg  97:  Five  dollars  is  a  trivial  amount,  but  this  story  shows 
how  it  can  lure  a  user  into  giving  away  their  personal  account  information. 
(a29Cx,xii,xiii) 

18)  Getting  on  the  A-list,  pg  106:  This  illustrates  how  easy  it  is  to  obtain  entrance 
credentials  for  a  movie  studio.  (b32Biv,vii,xiii) 
19) Getting cheating ex’s unlisted number, pg 108: Being female, friendly, and
knowledgeable about industry “lingo” will get you many things, including an
ex-boyfriend’s unlisted telephone number. (d21Ciii,x)

20) Need report yesterday, pg 111: This describes the effects of using authoritative
intimidation to obtain a proprietary report. (e31Diii,xiii)

21)  Public  servant  in  need,  pg  112:  This  story  shows  that  government  systems  can  be 
attacked by exploiting sympathy and people’s willingness to help. (c18Bvii,xiii,iv)

22)  Lucky  Monday,  pg  117:  This  describes  how  a  helpful  social  engineer  gets  an 
unsuspecting  employee  to  change  her  password  just  long  enough  for  him  to  get  access 
using her account information. (e19Di,iii,iv,xiii)

23)  Am  I  wanted,  pg  121 :  This  story  tells  how  a  criminal  finds  out  if  there  is  a  warrant 
out  for  his  arrest. 

Target  -  c 

a) Get warrant: 21Cxiii,iii,vi,vii

b)  Reroute  fax:  13Cxiii,vi,vii 

24)  Stealing  a  degree,  pg  125:  Identity  theft  is  shown  in  this  story;  the  attacker  steals 
personal  information  from  a  graduate  that  shares  his  name. 

Target  -  e 

a)  Get  server  name:  12Ciii,xiii 

b)  Get  authorized  username  and  password:  2 1  Axii 

c)  Get  database  procedure:  18Cvii,xiii 

D. SUMMARY STATISTICS

For our summary statistics, we list the total counts of occurrences for each item.

Target of interest: Throughout (Mitnick, 2002), we assessed 24 targets of interest.

a) Finance - 4

b) Commercial - 3

c) Government - 3

d) Infrastructure provider - 8

e) Infrastructure - 6

Type of Deception: Among the 24 targets of interest, there were 45 instances of deception steps that warrant labeling.
Space:

1) Direction, of the action - 0

2) Location-at, where something occurred - 0

3) Location-from, where something started - 0

4) Location-to, where something finished - 0

5) Location-through, where some action passed through - 0

6) Orientation, in some space - 0

Time:

7) Frequency, of occurrence of a repeated action - 0

8) Time-at, time at which something occurred - 0

9) Time-from, time at which something started - 0

10) Time-to, time at which something ended - 0

11) Time-through, time through which something - 0

Participant:

12) Agent, who initiates the action - 15

13) Beneficiary, who benefits - 1

14) Experiencer, who senses the action - 0

15) Instrument, what helps accomplish the action - 0

16) Object, what the action is done to - 0

17) Recipient, who receives the action - 0

Causality:

18) Cause - 5

19) Contradiction, what this action opposes if anything - 1

20) Effect - 0

21) Purpose - 19

Quality:

22) Accompaniment, an additional object associated with the action - 1

23) Content, what is contained by the action object - 0

24) Manner, the way in which the action is done - 0

25) Material, the atomic units out of which the action is composed - 0

26) Measure, the measurement associated with the action - 0

27) Order, with respect to other actions - 0

28) Value, the data transmitted by the action - 0

Essence:

29) Supertype, a generalization of the action type - 1

30) Whole, of which the action is a part - 0

Speech-act theory:

31) External precondition on the action - 1

32) Internal precondition - 1

Resource or Target Information: Each of the 45 instances of labeled deception steps is accompanied by corresponding target information.

A) Identification - 8

B) Affiliation status - 6

C) Internal information - 23

D) Data/product movement/change/software install/hardware install - 5

E) Trust - 3

Trust Ploy: Because each attack step can use any combination of close access techniques, each of the 45 instances of labeled deception steps is accompanied by a set of trust ploys.

i) Reverse social engineering - 5

ii) Commitment/Consistency - 5

iii) Authority - 15

iv) Friendliness - 16

v) Scarcity - 1

vi) Conformity - 18

vii) Sympathy - 12

viii) Guilt - 1

ix) Diffusion of Responsibility - 2

x) Decoy - 12

xi) Equivocation - 0

xii) Ignorance - 17

xiii) Affiliation - 11
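The labels attached to steps 15 to 24 above and the tallies in this section share one compact format: an optional lowercase target letter, the deception-type number, the target-information letter, and then the trust ploys as roman numerals. The script below is an added example, not part of the thesis, that parses that format and recomputes the counts; the category names are copied from the lists in this section, and the sample label list is constructed from the labels transcribed for steps 15 to 24.

```python
"""Parse and tally the attack-step labels used in this chapter (added example)."""
import re
from collections import Counter

# Category names copied from the summary-statistics lists in this section.
TARGET_INFO = {"A": "Identification", "B": "Affiliation status",
               "C": "Internal information",
               "D": "Data/product movement/change/software install/hardware install",
               "E": "Trust"}
TRUST_PLOYS = ["Reverse social engineering", "Commitment/Consistency", "Authority",
               "Friendliness", "Scarcity", "Conformity", "Sympathy", "Guilt",
               "Diffusion of Responsibility", "Decoy", "Equivocation", "Ignorance",
               "Affiliation"]  # index 0 is ploy i, index 12 is ploy xiii

# Grammar: [target a-e] deception-type 1-32, info letter A-E, zero or more ploys
# as comma-separated lowercase roman numerals (e.g. "a29Cx,xii,xiii").
LABEL_RE = re.compile(r"^(?P<target>[a-e])?(?P<deception>3[0-2]|[12]\d|[1-9])"
                      r"(?P<info>[A-E])(?P<ploys>(?:[ivx]+(?:,[ivx]+)*)?)$")
ROMAN = {"i": 1, "v": 5, "x": 10}


def roman_to_int(numeral):
    """Convert a lowercase roman numeral built from i, v, x ('xiii' -> 13)."""
    values = [ROMAN[c] for c in numeral]
    total = 0
    for idx, val in enumerate(values):
        # A smaller numeral before a larger one is subtractive ('iv', 'ix').
        if idx + 1 < len(values) and val < values[idx + 1]:
            total -= val
        else:
            total += val
    return total


def parse_label(label):
    """Return (target, deception_no, info_letter, [ploy_no, ...]) or raise ValueError."""
    match = LABEL_RE.match(label.replace(" ", ""))  # tolerate OCR spacing ('2 1 Axii')
    if not match:
        raise ValueError(f"malformed label: {label!r}")
    ploy_text = match.group("ploys")
    ploys = [roman_to_int(r) for r in ploy_text.split(",")] if ploy_text else []
    if any(not 1 <= p <= len(TRUST_PLOYS) for p in ploys):
        raise ValueError(f"trust ploy out of range in {label!r}")
    return match.group("target"), int(match.group("deception")), match.group("info"), ploys


def tally(labels):
    """Count deception types, target-information classes and trust ploys."""
    deception, info, ploys = Counter(), Counter(), Counter()
    for label in labels:
        _target, deception_no, info_letter, ploy_nos = parse_label(label)
        deception[deception_no] += 1
        info[TARGET_INFO[info_letter]] += 1
        for ploy_no in ploy_nos:
            ploys[TRUST_PLOYS[ploy_no - 1]] += 1
    return deception, info, ploys


# Constructed sample: the labels transcribed for steps 15-24 above.
SAMPLE_LABELS = ["22Axii", "18Ax", "12C", "12Aix,xiii", "12Cvi", "12Cxiii",
                 "a29Cx,xii,xiii", "b32Biv,vii,xiii", "d21Ciii,x", "e31Diii,xiii",
                 "c18Bvii,xiii,iv", "e19Di,iii,iv,xiii", "21Cxiii,iii,vi,vii",
                 "13Cxiii,vi,vii", "12Ciii,xiii", "21Axii", "18Cvii,xiii"]

if __name__ == "__main__":
    for name, counter in zip(("deception type", "target information", "trust ploy"), tally(SAMPLE_LABELS)):
        print(f"{name}: {counter.most_common(3)}")
```

On this subset the same pattern as the full tally emerges: deception of Agent (12) and Purpose (21), Internal information (C), and the Affiliation and Authority ploys lead the counts.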
E. COUNTERMEASURES FROM EXPERIMENT

Within the Target category, the Infrastructure Provider was the most targeted institution. This is only logical from a social-engineering standpoint because attackers need insider information; the bulk of an attack is gathering enough background information to be reputable. Infrastructure providers often hold the key to intermediary access. The key to attack prevention within these companies is awareness. On-going, relevant education about social engineering vulnerabilities must be enforced as a critical company policy that is supported throughout, from CEO down to line employees. More about this prevention method is presented in Chapter IV.

Among the Types of Deception, deception of Agent and deception of Purpose are the most prevalent. “Identification of participants responsible for actions (‘agents’) is a key problem in cyberspace, and is an easy target for deception. Deception in...purpose... is important in many kinds of social-engineering attacks where false reasons like ‘I have a deadline’ or ‘It didn't work’ are given for requests for actions or information that aid the adversary (Rowe, 2006)”. Since recognition is the first step to prevention, multimodal training must be implemented to help employees recognize a social engineer via an understanding of typical personae and the reasons commonly used to obtain illicit information from authorized users. Multimodal training includes interactive computer case-studies, live acting of scenarios, picture(s) of phishing e-mails and phony websites, and audio clips of what a social engineer would sound like over the phone. Similarly to how firefighters are trained for their life-saving jobs, employees must realize that a social-engineering attack can result in a fatality by leaking classified information about national security.

In the Target Information category, attacks to gain Internal-Information are the most common. Similar to how Infrastructure Providers are the center of attention among institutions, this class of information is most vulnerable to attack due to its value in fostering trust and reputation for a social engineer.

Finally, Conformity and Ignorance are the traits most susceptible to a social-engineering attack. The natural human tendency to do as others do, combined with the notion that the information they possess is innocuous, can be dangerous when exploited by an attacker seeking prohibited information. Having policy ingrained into everyday operations will lessen the burden on targeted victims of making decisions when under attack by a preying social engineer. Additionally, awareness and multimodal training may effectively counter Internal Information, Conformity, and Ignorance risks. The key is defense in depth with organization-wide buy-in and participation.
VI. CONCLUSION AND FUTURE WORK

With our ever-increasing dependence on rapidly advancing technology, there is no single method that will fully protect against security threats, especially social-engineering threats. It is harder to protect yourself against social engineering than against malicious software attacks. Since social engineering is not as predictable as a virus outbreak, it is important to always keep in mind that it can strike anybody at any time. Additionally, software has limited ways to execute while a social engineer can attack from many different angles. Fortunately, there are ways to reduce the possibility of successful social-engineering attacks. Defense-in-depth with constant vigilance and multimodal training, coupled with strong policy, will usually be the best defense strategy.

A. RECOMMENDATIONS FROM EXPERIMENT

We have presented a taxonomy that should be useful for modeling and assessing a social-engineering attack. Based on the two models, Trust and Attack, we propose these actions to harden security in their specific areas.

Given the Trust Model, initial prevention methods can be taken at the step where the Trustee Researches and Studies the Situation and Trustor. An organization should be particularly careful about what is provided on the organization's or personnel’s websites. Posting organizational charts or lists of key personnel and computer administrators should be avoided. Also, any document that is discarded that may contain proprietary, sensitive, or personal data should be shredded.

When the trustee’s trustworthiness is in question, i.e., an information requester who is slightly suspicious, personnel should never provide personal information or information about the organization, including the structure of its networks, to anyone unless that person’s authority to have that information is verified. Unsolicited e-mail messages, phone calls, or visits from individuals asking about employees or other internal information should be treated as suspicious. If dealing with an unknown person claiming to be from a legitimate organization, verify their identity directly with that organization.

In the attack model, the steps represented with a circle are focus areas where preventive measures and awareness can lessen the chances for a successful social-engineering attack. At Goal Researched, similar preventive steps to those mentioned above that will help keep information away from the attacker are recommended. Before the implementation of the Trust Model to obtain needed trust from the victim, recognition tactics would help prevent would-be victims from believing deceptions so readily. One tactic would be to focus on signs that the requester has harmful intentions, e.g. the refusal to give contact information, rushing, name-dropping, intimidation, requesting odd information, and uncommon flattery. Additionally, security policy should somehow be automated so that the guesswork and decision-making responsibility is removed from the human victim. To prevent a social engineer from Technically Attacking the System or Network, encryption, intrusion-detection tools and auditing of account access will help keep a hacker from gaining access or slow him down long enough to allow system administrators to fight them directly.

B. CONSTANT VIGILANCE

In addition to the countering techniques developed from the modeling of social engineering, one of the most effective countermeasures is having well-educated, security-conscious employees. All employees throughout the organization need to be aware of the risks and remain vigilant (Barber, 2001). The security policies and procedures should be taught to every new employee and repeated periodically for the entire organization. Training employees repeatedly is important to keeping their social-engineering awareness at a constant, high level.

Stolen data could result in company closure and many unemployed personnel. When educating employees, it is not sufficient to simply tell them how they should behave. It is essential that they are aware of the reasons for the education and fully believe in the value of the time and effort put forth. This is the reason employee buy-in is necessary to maintain a security-motivated team. All employees must understand why they should behave in a certain way. It is critical that management, as well as the rest of the organization, fully recognize and appreciate the awareness program. There is no substitute for knowledgeable employees that realize the interdependency of their everyday actions with those of the rest of the organization.

Since social engineers can attack any employee when attempting to gain illicit information, all employees should understand the social engineer’s methods of attack and be aware of whom to trust when a problem occurs. Accountability is of key importance, and all employees should be responsible for all information they hold. Because social engineers use deception as their main tool, it is important to be observant when giving out information. Without exception, it is essential to authenticate the receiver of the information, since a social engineer often impersonates in order to deceive the victim.

Security is vital to continued business success. As such, we recommend using some combination of the following tools: videos, newsletters, brochures, signs, posters, screensavers, note pads, t-shirts, stickers, pictures of e-mail phishing, and audio clips. A problem with the tools that the employees see every day is that they become monotonous and eventually ignored. Therefore, educational material needs to appeal to all the senses and frequently be changed to be most useful. In addition to these awareness tools, an internal website dedicated to security information, including social-engineering information, is a good way to keep all personnel informed, educated and vigilant. Authentic stories of social-engineering attacks, safety tips and informational stories posted on the intranet or in e-mail are helpful for educating employees regarding social-engineering risks. Using authentic stories when educating employees increases their resistance to social-engineering exploits (Arthurs, 2002).

C. MULTIMODAL TRAINING

Another very efficient countermeasure to social engineering is multimodal training. The training that firefighters go through, in order to be competent when fire strikes, can save lives. Similarly, the training that employees within an organization receive can impede a social engineer from accessing secured computer networks and threatening national security, which can also save lives. If we agree that prevention and countering social-engineering attacks is essential for operational security, we must train with techniques analogous to those used to train firefighters.

Multimodal training is simulated training that incorporates scenario-based learning with live attacker-victim interactions. Scenario-based learning occurs in a context, situation, or social framework. It is based on the theory of situated cognition, which states that knowledge cannot be known and fully understood independent of its context (Kindley, 2002). Rather than simply making employees sit through boring one-way lectures, using interactive two-way simulations better conveys the dynamic nature of social-engineering attacks. Live-action scenarios enable the participants to more realistically experience social-engineering attacks. The participant learns to react appropriately through recognition and practice.

Multimodal training is based on interactive scenarios which, in turn, are grounded in the underlying close-access techniques that are utilized by social engineers in the situations described above. Since it is not possible to create all possible social-engineering scenarios, it is sufficient to strive for scenarios that are as realistic as possible and that exemplify how the close-access techniques are carried out in different situations and for different target victims. The participant’s level of preparedness concerning how to handle real-life attacks can be dramatically increased given sufficient practice. In order for this to work, however, the practice environment must be as similar as possible to the situations they are likely to encounter in the real world (Rotem, 2005).

This type of training requires the learner to take action instead of simply listening. These exercises utilize more of the five senses by emulating various attack situations. Using audio, visuals, a simulated attacker and a simulated environment, the interactive training could present illicit requests and highlight the appropriate choices that employees should make when they are confronted by an actual social engineer. The goal is for this multimodal training to take people from a state of not knowing how to act in an information-dispatching situation to a state where they know how to successfully thwart social-engineering attacks.

D. FUTURE WORK

Since social engineering is a diverse and complex phenomenon, the prevention and countermodels to be used when fighting social engineering must contend with this complexity. The overall goal of the educational model described here is to increase awareness of how a social engineer performs an attack and how one can protect against such attacks. Knowledge of attacks is helpful in fighting them, so social-engineering attacks, both those that succeed and those that fail, should be made public whenever possible. Learning from mistakes and improving prevention must override any concerns regarding bad reputation or loss of business.
Long-term research should focus on educating future leaders and commanders concerning the social-engineering threat. Additionally, organizational policy must grant enough authority to question management in order to counter the attack of a social engineer impersonating management. With these defense-in-depth recommendations, the user should be able to recognize the different approaches of the social engineer and be able to act accordingly. Lastly, research into the methods of phishing is recommended. Phishing is one of the most prevalent and costly forms of social engineering today, and its growth represents an even greater threat for the future.